Tim Burns

When a Secret is No Longer a Secret

Least Privilege on Shared Systems

Photo by Ben White on Unsplash


Extending secure access on a heterogeneous system can be complex. One component of the system may have access to a secret, but another may not. And, of course, when a secret gets out, it isn't a secret anymore.


I'm designing a secret system on a third-party data integration tool and I ran across this article.


https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/


Important takeaways:


  • Encrypt secrets

  • Without giving containers and services an identity, it is not possible to protect and restrict access to secrets with access control policies

  • Give identity to only the project that needs the resource, not the whole environment

  • Use ephemeral resources to pass secrets (like environment variables)

  • Give the ephemeral resources hard-to-guess names - MY_SECRET:(some md5 hash)

  • Keep track of who knows your secrets
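The takeaways above describe a flow rather than show one, so here is an added, self-contained Python illustration (not code from the post or from the AWS article). It assumes a constructed in-memory parameter store in place of AWS SSM Parameter Store, with an `Identity` standing in for an IAM task role: every read is checked against a per-project path prefix (identity only for the project that needs the resource), the secret is handed to a short-lived child process through an environment variable whose name is `MY_SECRET_` plus an MD5 digest (underscore rather than colon, since colons are not legal in variable names), the child inherits only a minimal environment, and an access log answers "who knows this secret". Encryption at rest is left to the real store and is not modelled here.

```python
import hashlib
import os
import secrets
import subprocess
import sys
from dataclasses import dataclass

# Constructed stand-in for a parameter store such as AWS SSM Parameter Store.
# Paths are namespaced per project so a policy can be scoped by prefix.
CONSTRUCTED_PARAMS = {
    "/billing/prod/db_password": "billing-db-pw-EXAMPLE",
    "/reports/prod/api_token": "reports-token-EXAMPLE",
}


@dataclass(frozen=True)
class Identity:
    """The identity a container or service runs as (an IAM role in AWS terms)."""
    name: str
    allowed_prefixes: tuple  # parameter path prefixes this identity may read


class ParameterStore:
    """Mediates every read through a prefix-scoped policy and records it."""

    def __init__(self, params):
        self._params = dict(params)
        self.access_log = []  # (identity name, path, granted?)

    def get(self, identity, path):
        granted = any(path.startswith(p) for p in identity.allowed_prefixes)
        self.access_log.append((identity.name, path, granted))
        if not granted:
            raise PermissionError(f"{identity.name} may not read {path}")
        return self._params[path]

    def who_knows(self, path):
        """Identities that successfully read the secret: the rotation list."""
        return sorted({who for who, p, ok in self.access_log if p == path and ok})


def ephemeral_name(project, nonce=None):
    """Hard-to-guess variable name: MY_SECRET_<md5 of project + random nonce>."""
    nonce = secrets.token_hex(8) if nonce is None else nonce
    digest = hashlib.md5(f"{project}:{nonce}".encode()).hexdigest()
    return f"MY_SECRET_{digest.upper()}"


def run_with_secret(store, identity, path, consumer_code):
    """Fetch the secret as `identity`, pass it to a short-lived child process
    through an environment variable, and return what the child printed.
    Only PATH (and SYSTEMROOT on Windows) is inherited, so the child sees
    nothing else from the parent's environment."""
    value = store.get(identity, path)
    var = ephemeral_name(identity.name)
    env = {k: os.environ[k] for k in ("PATH", "SYSTEMROOT") if k in os.environ}
    env[var] = value
    # The child learns the variable name through its command line, not the env.
    result = subprocess.run(
        [sys.executable, "-c", consumer_code.format(var=var)],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


# Constructed consumer: a child that reads the secret and echoes it back.
CONSUMER = "import os; print(os.environ['{var}'])"


def demo():
    """Billing may read its own secret; reports is denied the billing one."""
    store = ParameterStore(CONSTRUCTED_PARAMS)
    billing = Identity("billing-svc", ("/billing/",))
    reports = Identity("reports-svc", ("/reports/",))
    out = run_with_secret(store, billing, "/billing/prod/db_password", CONSUMER)
    try:
        run_with_secret(store, reports, "/billing/prod/db_password", CONSUMER)
        denied = False
    except PermissionError:
        denied = True
    return out, denied, store.who_knows("/billing/prod/db_password")


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three properties together: the billing identity's read succeeds and reaches the child only through the randomly named variable, the reports identity's attempt is refused and logged as denied, and `who_knows` lists exactly the identities that would need a rotation if the secret leaked.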





 
  • Facebook
  • Twitter
  • LinkedIn

©2019 by Owl Mountain Software, LLC. Proudly created with Wix.com